My Background
• Clinton Administration Chief Counselor for Privacy, 1999-2001
  – White House coordinator, HIPAA privacy rule
  – Chair of White House working group to update wiretap and surveillance law
  – Much work on computer security, encryption, and other security issues

I. HIPAA and Private Sector Security
• Today you have heard the many, many components of state-of-the-art HIPAA security compliance
• Your possible concerns:
  – Cost
  – Lack of technical expertise
  – Interference with health care and other work
  – No management support to get from here to there

More to worry about
• FTC and the Eli Lilly case
  – Medi-Messenger service sent e-mail reminders to users to refill prescriptions
  – June 2001: the e-mail addresses of 669 Prozac users were put in the To line rather than the Bcc line, disclosing the list to every recipient
  – Everyone agrees it was unintentional
  – ACLU complained to the FTC

Lilly
• Lilly's web site said: "Eli Lilly and Co. respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource"
• FTC claimed the statement was deceptive because of Lilly's failure to implement internal measures appropriate under the circumstances to protect sensitive consumer information

Security as Less Hard
• Draft HIPAA Security Rule
  – Most of it is codified common sense
  – Have backups, disaster recovery, good passwords, and so on
  – How easy will it be for HHS to surprise everyone and issue a much stricter and more regulatory security rule?
  – Not very. It would be an unfair surprise and more regulatory than the HIPAA privacy approach.

Security in the Private Sector
• Lilly as less scary:
  – Limited FTC enforcement staff
  – Settlement was essentially a good compliance plan going forward
• As a society
  – We learned to lock our houses and cars
  – Some have to do more -- jewelry stores
  – Now we are learning what good practices mean for our networked world

Security and Privacy
• Good data handling practices become more important -- good security protects PHI against unauthorized use
• Audit trails and accounting are more obviously desirable -- they help with some privacy compliance
• Part of a system upgrade for security can be a system upgrade for other requirements, such as HIPAA privacy

Building Them Together
• Step One: Does the new security proposal in fact improve security?
• Step Two: Is the new security proposal drafted consistently with privacy and other values?
• Step Three: Are the right checks and balances in place to achieve security and other goals over time?

Conclusion
• In both private and public sectors:
  – Survive Securely -- move up the learning curve to better practices
  – Survive Security -- do it without letting the security concerns prevent solid analysis of the other goals at stake